There is no description at this point.
rule win_lurk_auto { meta: author = "Felix Bilstein - yara-signator at cocacoding dot com" date = "2022-11-21" version = "1" description = "Detects win.lurk." info = "autogenerated rule brought to you by yara-signator" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.lurk" malpedia_rule_date = "20221118" malpedia_hash = "e0702e2e6d1d00da65c8a29a4ebacd0a4c59e1af" malpedia_version = "20221125" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" /* DISCLAIMER * The strings used in this rule have been automatically selected from the * disassembly of memory dumps and unpacked files, using YARA-Signator. * The code and documentation is published here: * https://github.com/fxb-cocacoding/yara-signator * As Malpedia is used as data source, please note that for a given * number of families, only single samples are documented. * This likely impacts the degree of generalization these rules will offer. * Take the described generation method also into consideration when you * apply the rules in your use cases and assign them confidence levels. */ strings: $sequence_0 = { ff7508 ff15???????? 8b35???????? 50 ff7508 } // n = 5, score = 1100 // ff7508 | push dword ptr [ebp + 8] // ff15???????? | // 8b35???????? | // 50 | push eax // ff7508 | push dword ptr [ebp + 8] $sequence_1 = { 8b4508 5b 5f 5e c9 c3 55 } // n = 7, score = 900 // 8b4508 | mov eax, dword ptr [ebp + 8] // 5b | pop ebx // 5f | pop edi // 5e | pop esi // c9 | leave // c3 | ret // 55 | push ebp $sequence_2 = { 56 57 be00001000 56 6a40 ff15???????? 8bf8 } // n = 7, score = 800 // 56 | push esi // 57 | push edi // be00001000 | mov esi, 0x100000 // 56 | push esi // 6a40 | push 0x40 // ff15???????? | // 8bf8 | mov edi, eax $sequence_3 = { eb20 ff752c ff7528 ff7524 ff7520 } // n = 5, score = 800 // eb20 | jmp 0x22 // ff752c | push dword ptr [ebp + 0x2c] // ff7528 | push dword ptr [ebp + 0x28] // ff7524 | push dword ptr [ebp + 0x24] // ff7520 | push dword ptr [ebp + 0x20] $sequence_4 = { 8b4d08 51 ff15???????? e9???????? 8be5 } // n = 5, score = 800 // 8b4d08 | mov ecx, dword ptr [ebp + 8] // 51 | push ecx // ff15???????? | // e9???????? | // 8be5 | mov esp, ebp $sequence_5 = { 53 8bc7 6a0b 99 5b f7fb 8a5415f0 } // n = 7, score = 800 // 53 | push ebx // 8bc7 | mov eax, edi // 6a0b | push 0xb // 99 | cdq // 5b | pop ebx // f7fb | idiv ebx // 8a5415f0 | mov dl, byte ptr [ebp + edx - 0x10] $sequence_6 = { 59 59 83f801 750d 8d85fcfeffff 50 } // n = 6, score = 800 // 59 | pop ecx // 59 | pop ecx // 83f801 | cmp eax, 1 // 750d | jne 0xf // 8d85fcfeffff | lea eax, [ebp - 0x104] // 50 | push eax $sequence_7 = { ebf8 56 8bf0 33c0 85d2 8bca } // n = 6, score = 800 // ebf8 | jmp 0xfffffffa // 56 | push esi // 8bf0 | mov esi, eax // 33c0 | xor eax, eax // 85d2 | test edx, edx // 8bca | mov ecx, edx $sequence_8 = { 85c0 750d 8d85ccfdffff 50 e8???????? 59 8d45cc } // n = 7, score = 800 // 85c0 | test eax, eax // 750d | jne 0xf // 8d85ccfdffff | lea eax, [ebp - 0x234] // 50 | push eax // e8???????? | // 59 | pop ecx // 8d45cc | lea eax, [ebp - 0x34] $sequence_9 = { c1e910 0fb6d1 8b4df4 8b0481 } // n = 4, score = 800 // c1e910 | shr ecx, 0x10 // 0fb6d1 | movzx edx, cl // 8b4df4 | mov ecx, dword ptr [ebp - 0xc] // 8b0481 | mov eax, dword ptr [ecx + eax*4] $sequence_10 = { ff75ec e8???????? 59 83f8ff 7509 c745fc09000000 } // n = 6, score = 800 // ff75ec | push dword ptr [ebp - 0x14] // e8???????? | // 59 | pop ecx // 83f8ff | cmp eax, -1 // 7509 | jne 0xb // c745fc09000000 | mov dword ptr [ebp - 4], 9 $sequence_11 = { 8b4d08 81c190000000 894df4 8b5508 } // n = 4, score = 800 // 8b4d08 | mov ecx, dword ptr [ebp + 8] // 81c190000000 | add ecx, 0x90 // 894df4 | mov dword ptr [ebp - 0xc], ecx // 8b5508 | mov edx, dword ptr [ebp + 8] $sequence_12 = { c1e908 0fb6c1 8b4df4 33948100080000 0fb645ec 8b4df4 039481000c0000 } // n = 7, score = 800 // c1e908 | shr ecx, 8 // 0fb6c1 | movzx eax, cl // 8b4df4 | mov ecx, dword ptr [ebp - 0xc] // 33948100080000 | xor edx, dword ptr [ecx + eax*4 + 0x800] // 0fb645ec | movzx eax, byte ptr [ebp - 0x14] // 8b4df4 | mov ecx, dword ptr [ebp - 0xc] // 039481000c0000 | add edx, dword ptr [ecx + eax*4 + 0xc00] $sequence_13 = { ffd7 85c0 7503 895df8 5f } // n = 5, score = 800 // ffd7 | call edi // 85c0 | test eax, eax // 7503 | jne 5 // 895df8 | mov dword ptr [ebp - 8], ebx // 5f | pop edi $sequence_14 = { e8???????? 8b450c 8b4d10 8945d4 b824080000 } // n = 5, score = 800 // e8???????? | // 8b450c | mov eax, dword ptr [ebp + 0xc] // 8b4d10 | mov ecx, dword ptr [ebp + 0x10] // 8945d4 | mov dword ptr [ebp - 0x2c], eax // b824080000 | mov eax, 0x824 $sequence_15 = { 83cefe 46 8a10 8b4d08 } // n = 4, score = 800 // 83cefe | or esi, 0xfffffffe // 46 | inc esi // 8a10 | mov dl, byte ptr [eax] // 8b4d08 | mov ecx, dword ptr [ebp + 8] condition: 7 of them and filesize < 5316608 }
If your designated proposal does not fit in any other category, feel free to write a free-text in the comment field below.
Please propose all changes regarding references on the Malpedia library page
Your suggestion will be reviewed before being published. Thank you for contributing!
YYYY-MM-DD
YYYY-MM
YYYY